[SRU Hirsute, Focal/linux-oem-5.10, Groovy, Focal/linux-oem-5.6, Focal, Bionic 0/4] CVE-2021-27363, CVE-2021-27364, CVE-2021-27365
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Thu Mar 11 02:36:12 UTC 2021
[Impact]
Unprivileged users can use the iscsi_transport handle to leak a kernel address,
create/close iscsi sessions, and write out of bounds when reading sysfs iscsi
attributes.
[Fix/Backport]
3 commits fix the problem, minimal backporting was needed because of missing
commit 82b8cf40bfe1, but the commit that introduces sysfs_emit was needed from
4.15 to 5.8, and needed some context adjustment on 4.15 because of missing
*change_owner functions.
[Test case]
Leaking the address by reading /sys/class/iscsi_transport/tcp/handle was not
possible anymore. Also, creating a session also failed, and even as root,
setting a name larger than PAGE_SIZE failed.
[Potential regression]
iscsi users could fail to operate as unprivileged users.
Chris Leech (2):
  scsi: iscsi: Verify lengths on passthrough PDUs
  scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE

Joe Perches (1):
  sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output

Lee Duncan (1):
  scsi: iscsi: Restrict sessions and handles to admin capabilities

 Documentation/filesystems/sysfs.txt |   8 +-
 drivers/scsi/libiscsi.c             | 148 ++++++++++++++--------------
 drivers/scsi/scsi_transport_iscsi.c |  39 ++++++--
 fs/sysfs/file.c                     |  55 +++++++++++
 include/linux/sysfs.h               |  16 +++
 5 files changed, 178 insertions(+), 88 deletions(-)
--
2.27.0
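
Added example, not part of the original message or of the patches it describes: a userspace C model of the two bounds this series is about, a setter that refuses a value larger than one page and a formatter that never stores more than one page when the attribute is read back. `MODEL_PAGE_SIZE`, `model_emit`, `model_set_param` and `demo` are hypothetical names, the 4096-byte page size is an assumption, and the input strings are constructed.

```c
/* Userspace model, not kernel code. All names here are hypothetical. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096 /* assumed page size */

/* Bounded formatter: never stores more than one page, returns bytes kept. */
static int model_emit(char *page, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(page, MODEL_PAGE_SIZE, fmt, ap);
    va_end(ap);
    if (n < 0) return 0;
    return n >= MODEL_PAGE_SIZE ? MODEL_PAGE_SIZE - 1 : n;
}

/* Setter-side check: refuse a value larger than one page. */
static int model_set_param(char **slot, const char *val, size_t len)
{
    char *copy;
    if (len > MODEL_PAGE_SIZE) return -1;
    copy = malloc(len + 1);
    if (!copy) return -2;
    memcpy(copy, val, len); copy[len] = '\0';
    free(*slot); *slot = copy;
    return 0;
}

/* Set then read back a constructed value of `len` 'A's; -1 means rejected. */
static int demo(size_t len)
{
    static char page[MODEL_PAGE_SIZE];
    char *val = malloc(len + 1), *slot = NULL;
    int n;
    if (!val) return -2;
    memset(val, 'A', len); val[len] = '\0';
    if (model_set_param(&slot, val, len) != 0) { free(val); return -1; }
    n = model_emit(page, "%s\n", slot);
    free(slot); free(val);
    return n;
}

int main(void)
{
    printf("%d %d %d\n", demo(16), demo(4096), demo(5000));
    return 0;
}
```

A value that exactly fills the page is accepted by the setter but truncated on output, so the read path stays inside its buffer even when the write path lets a borderline length through.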